Visa to Bar Transactions by Processor

Visa USA said yesterday that it would stop allowing the payment processor CardSystems Solutions to handle its transactions, months after the processor left the records of millions of cardholders at risk for fraud.

"CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," said Tim Murphy, Visa's senior vice president for operations, in a memorandum sent to several banks. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system."

Cardholders and merchants should not be affected by the change.

Visa said its decision to remove CardSystems came after a review and an independent investigation found that the payment processor had improperly stored cardholder data and did not have the proper controls in place.

It is unclear if MasterCard and American Express will take similar action, but with Visa accounting for more than half of all card transactions, the move raises questions about the future of CardSystems.

"I've never heard of them booting off a processor," said Avivah Litan, a security analyst at Gartner Inc., a technology research group. "The worst thing that I've heard is a processor that had to cough up $1 million."

The move came at least two months after Visa first learned that data had been compromised and just days before its executives, along with those of other major card companies, have been called to testify in Washington about their security practices. The chief executive of CardSystems, John M. Perry, is also expected to testify on Thursday.

In a statement released yesterday, CardSystems said Visa's decision was unexpected and upsetting. "We are disappointed and very surprised that Visa has decided to take this action today, not only because of the impact that it will have on our employees, but the disruption that it will cause to our 110,000 merchant customers," the processor said. "We hope that Visa will reconsider."

Visa has given at least 11 banks, which hired CardSystems to handle the merchant transactions, until the end of October to change processors, the memo said. Until then, CardSystems will be allowed to process Visa transactions as long as it has corrected any problems and allows a Visa-affiliated monitor on site to oversee its operations in Tucson. CardSystems is also banned from handling Visa transactions from its international affiliates or any new merchants, processors or member banks in the United States.

Visa had been weighing the decision for a few weeks but as recently as mid-June said that it was working with CardSystems to correct the problem. CardSystems hired an outside security assessor this month to review its policies and practices, and it promised to make any necessary upgrades by the end of August. CardSystems, in its statement yesterday, said the company's executives had been "in almost daily contact" with Visa since the problems were discovered in May.

Visa, however, said that despite "some remediation efforts" since the incident was reported, the actions by CardSystems were not enough.

"Visa cannot overlook the significant harm the data compromise and CardSystems' failure to maintain the required security protections has had on member financial institutions and merchants as well as the significant concerns it raised for cardholders," the company said in a statement.

At this point, it is unclear what the other branded card companies will do. MasterCard has previously said that it was giving CardSystems a "limited amount of time to demonstrate compliance with MasterCard security requirements" but never laid out a specific timetable.

Sharon Gamsin, a MasterCard spokeswoman, did not return calls seeking comment. Judy Tenzer, an American Express spokeswoman, said the company did not comment about its relationships with vendors. Leslie Sutton, a Discover Financial spokeswoman, could not offer an immediate response.

Visa's decision is the latest development since the disclosure in mid-June that the CardSystems computer network had been compromised, putting the cardholder names, account numbers and security codes of as many as 40 million credit and debit cardholders at risk for fraud. The information of about 22 million Visa cardholders was exposed; MasterCard reported the data of 14 million of its cardholders was potentially at risk; and the rest largely belonged to customers of American Express and Discover.

At the time, Mr. Perry of CardSystems acknowledged that the company had been improperly storing data, violating Visa and MasterCard security rules. He said data thieves directly obtained information related to some 200,000 cardholder accounts. The F.B.I. and a group of federal banking regulators are now investigating.

In its statement, Visa offered its most scathing indictment of those security violations to date. The chief executive of CardSystems had "stated that the company knowingly retained unmasked magnetic stripe cardholder data, purportedly for 'research purposes,'" Visa said. "Visa's security requirements were adopted precisely for the purpose of protecting cardholder information and guarding against the type of data compromise recently experienced by CardSystems."

In the letter Visa sent to the banks, Mr. Murphy suggested that the data breach occurred as early as August 2004.

By ERIC DASH
The New York Times.